Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.
At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”
Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.
Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.
But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.
One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.
Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.
“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”
Separately, Craig Heffner, a researcher with Columbia, Md. based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner changes the passphrase. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”
The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.
First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.
In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel.
Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.